Palo Alto Networks PAN-OS GlobalProtect Remote Code Execution (CVE-2024-3400)
Overview
Palo Alto Networks PAN-OS GlobalProtect Remote Code Execution, tracked as CVE-2024-3400, affects specific PAN-OS versions and GlobalProtect configurations. Because PAN-OS runs on perimeter firewall infrastructure, successful exploitation can give attackers a high-impact foothold at the network edge.
Vulnerability Overview
CVE-2024-3400 is a command injection vulnerability that results from an arbitrary file creation flaw in the GlobalProtect feature of Palo Alto Networks PAN-OS: an attacker can first cause the firewall to write a file under a name they control, and that file name is later used in a command executed by the system. Under affected versions and feature configurations, an unauthenticated remote attacker may execute arbitrary code with root privileges on the firewall.
Palo Alto Networks states that the issue applies only to PAN-OS 10.2, 11.0, and 11.1 firewalls configured with a GlobalProtect gateway, GlobalProtect portal, or both. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted.
Impact
The vulnerability is rated Critical with a CVSS 3.1 score of 10.0. Successful exploitation can allow unauthenticated root-level code execution on a firewall.
The affected component is usually internet-facing, and CVE-2024-3400 was exploited in the wild; it is listed in the CISA Known Exploited Vulnerabilities catalog.
Vulnerability Scope
The affected branches are PAN-OS 10.2 before 10.2.9-h1, PAN-OS 11.0 before 11.0.4-h1, and PAN-OS 11.1 before 11.1.2-h3 when GlobalProtect portal or gateway functionality is configured. Early guidance that disabling device telemetry was a mitigation was later withdrawn: device telemetry does not need to be enabled for the firewall to be exposed, so a telemetry setting must not be treated as a reason to deprioritise patching.
The highest-risk systems are internet-facing GlobalProtect deployments running affected PAN-OS versions that have not been patched or mitigated according to Palo Alto Networks guidance.
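The two conditions above (an affected branch below its fixed release, plus a GlobalProtect portal or gateway configured) are easy to get wrong by hand, mostly because of the hotfix suffix: 10.2.9 is vulnerable while 10.2.9-h1 is not. The following script is an added example for this lab, not Hackviser or Palo Alto Networks code. It parses PAN-OS version strings into comparable tuples, applies the advisory conditions to a constructed inventory, and deliberately ignores device telemetry. It encodes only the three fixed release levels listed on this page; if the vendor advisory lists further hotfixed maintenance releases on the same branch, extend FIXED_RELEASES rather than relying on this table alone. The hostnames and the hostname,version,features record format are assumptions made for the example.

```python
"""Exposure check for CVE-2024-3400 against the advisory's fixed release levels.

Added example for this lab write-up; it is not Hackviser or Palo Alto Networks
code. The inventory below is constructed, and the 'hostname,version,features'
record format is an assumption made for the example.
"""
import re
from typing import List, Tuple

# Fixed release levels from the advisory, one per affected branch. Anything
# earlier on the same branch with a GlobalProtect portal or gateway configured
# is exposed; branches not listed here are not affected by this CVE.
FIXED_RELEASES = {
    (10, 2): "10.2.9-h1",
    (11, 0): "11.0.4-h1",
    (11, 1): "11.1.2-h3",
}

# PAN-OS releases look like MAJOR.MINOR.MAINT with an optional -hN hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '11.1.2-h3' into (11, 1, 2, 3) so releases compare as tuples.

    A base release without a hotfix gets hotfix number 0, so it sorts below its
    own hotfixes. That is the comparison that matters here: 10.2.9 is still
    vulnerable, 10.2.9-h1 is not.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def assess(version: str, portal: bool, gateway: bool) -> Tuple[bool, str]:
    """Return (exposed, reason) for one firewall.

    Both advisory conditions must hold: an affected branch below its fixed
    release, and a GlobalProtect portal or gateway configured. Device telemetry
    is deliberately not an input, because it is not required for exposure.
    """
    parsed = parse_panos_version(version)
    branch = parsed[:2]
    if not (portal or gateway):
        return False, "no GlobalProtect portal or gateway configured"
    if branch not in FIXED_RELEASES:
        return False, f"PAN-OS {branch[0]}.{branch[1]} is not an affected branch"
    fixed = FIXED_RELEASES[branch]
    if parsed < parse_panos_version(fixed):
        return True, f"{version} is below fixed release {fixed} with GlobalProtect configured"
    return False, f"{version} is at or above fixed release {fixed}"


def exposed_hosts(inventory: str) -> List[str]:
    """Filter 'hostname,version,features' lines down to exposed hostnames.

    'features' is a '+'-joined list that may contain 'portal' and 'gateway';
    an empty field means the firewall has no GlobalProtect role.
    """
    hits = []
    for line in inventory.strip().splitlines():
        host, version, features = (field.strip() for field in line.split(","))
        roles = set(features.split("+")) if features else set()
        exposed, _ = assess(version, "portal" in roles, "gateway" in roles)
        if exposed:
            hits.append(host)
    return hits


# Constructed inventory for demonstration; these are not real systems.
SAMPLE_INVENTORY = """
fw-edge-01,10.2.8,portal+gateway
fw-edge-02,10.2.9-h1,portal
fw-edge-03,11.0.4,gateway
fw-edge-04,11.1.2-h3,portal+gateway
fw-core-01,11.1.1,
fw-legacy-01,10.1.11,portal
fw-edge-05,11.1.2-h1,gateway
"""

if __name__ == "__main__":
    for host in exposed_hosts(SAMPLE_INVENTORY):
        exposed, reason = assess(*next(
            (v, "portal" in f, "gateway" in f)
            for h, v, f in (l.split(",") for l in SAMPLE_INVENTORY.strip().splitlines())
            if h == host))
        print(f"EXPOSED: {host}: {reason}")
```

Note the two rows that trip up a naive string comparison: fw-edge-03 runs 11.0.4, which sorts below 11.0.4-h1 only because the missing hotfix is treated as 0, and fw-edge-05 runs 11.1.2-h1, which is a hotfix but still below 11.1.2-h3. fw-core-01 runs a vulnerable release but has no GlobalProtect role, so it is not exposed to this CVE, though it should still be patched.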
Lab Focus
This Hackviser lab focuses on understanding how a command injection flaw in a perimeter security product changes the risk model. You will practice identifying affected PAN-OS and GlobalProtect conditions, interpreting fixed release levels, and connecting root-level firewall compromise to edge security hardening.
